Endpoint 9.5 Quarantine Manager Question

Hi,

I am new to Sophos Enterprise console and Endpoint Security.

We are running more than 1900 endpoints with the German language version of Windows XP.

The following problem occurs with Quarantine Manager:

Cleanup policy is set to:

Cleanup Virus/Spyware automatically

Deny access if not cleanable

Suspicious files: Deny access

(We didn't select "Delete" due to a greater amount of false positives.)

During operation, a great number of viruses/spyware is shown with the status "Cleanup not possible".

Same with suspicious files

In "Resolve alerts and errors":

Only Delete (which only deletes the alert, not the virus) or Allow is possible.

Those detections are now in the local Quarantine Manager of the endpoint, with no remote access from the Enterprise Console, and have to be handled locally.

Question:

Is there any way to remotely manage the Quarantine Managers on endpoints?

Thanks,

Uwe

  • Hello Uwe,

    you can't "manage" the Quarantine Manager remotely - at least not directly. On the other hand it is not necessary for it to be "clean" (apart from cosmetic reasons).

    Let's start with the simpler questions:

    Those Detections are now in the local Quarantine Manager of the Endpoint with no remote access from the Enterprise Console

    If an alert is acknowledged from the console and the threat is again detected (either by on-access or a scheduled scan) you'll get a new alert.

    While Not cleanable means you can't request cleanup from Resolve alerts and errors... it doesn't mean you can't deal with the threats from the console. Deny access if not cleanable - if you run a scan where the setting is Delete it will in most cases do so.

    Suspicious files: Deny access (we didn't select "Delete" due to a greater amount of false positives)

    I assume - haven't asked Sophos - that the reason for not making Delete available from the console is that it is risky. You might (attempt to) delete more than you wanted to. Again you have this option with a scan. To authorize certain suspicious files you simply amend the AV-policy accordingly.

    Some threats you will have to handle locally - in these cases usually you also won't be able to deal with them from QM though. Often this is explicitly stated in the threat's analysis anyway.

    As you are new my advice is: Take your time to get used to the "SOP"s. Try to solve as many problems as possible using the available features and general management. I have - for example - special groups with "aggressive" policies assigned and if a client is "conspicuous" it is moved to one of these for a few days. Try to get a feeling which threats you have to deal with immediately and which can be "saved for later" (that's not to say you should take them lightly and you should eventually remove them but whatever is detected and blocked will cause no harm as long as on-access is active).

    Christian
